Atlassian Confluence Data Center and Confluence Server are vulnerable to a critical remote code execution (RCE) vulnerability that impacts versions released before December 5, 2023, including out-of-support releases.
The flaw is tracked as CVE-2023-22527, rated critical (CVSS v3: 10.0), and is a template injection vulnerability allowing unauthenticated attackers to perform remote code execution on affected Confluence endpoints.
“Most recently supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates,” reads Atlassian’s security bulletin.
“However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.”
The RCE bug impacts Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.
Atlassian fixed the flaw in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), which were released in December. However, it is unclear whether they quietly fixed the bug last month or whether it was inadvertently fixed during regular software development.
These versions were released earlier and are no longer the latest, so admins who have moved to a newer release are protected from CVE-2023-22527 exploitation.
Atlassian notes that 8.4.5 and all earlier release branches that have already fallen out of support will not receive a security update under its security bug fix policy.
Users of those versions are advised to move to an actively supported release as soon as possible.
Atlassian has provided no mitigations or workarounds for the highlighted security problem, so applying the available updates is the recommended path.
An FAQ page Atlassian set up for the flaw explains that CVE-2023-22527 does not affect Confluence LTS v7.19.x, Cloud instances hosted by the vendor, or any other Atlassian product.
However, it is noted that instances not connected to the internet and those that do not allow anonymous access are still exploitable, even if the risk is reduced.
For those unable to apply the available updates immediately, it is recommended to take affected systems offline, back up the data to a location outside the Confluence instance, and monitor for malicious activity.
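Because Atlassian publishes no indicators of compromise for this flaw (see below), exposure assessment falls back to version inventory. The following is an added example, not Atlassian's code or a complete vendor matrix: it encodes only the version facts stated in this article (8.0.x through 8.5.3 affected, 8.4.5 and earlier branches unsupported, fixes in 8.5.4 / 8.6.0 / 8.7.1, LTS 7.19.x not affected) and triages a constructed inventory so admins can decide which instances to patch, migrate or take offline first. Hostnames in the sample are made up.

```python
import re
from typing import Dict, List, Tuple

# Version facts as stated in the article; this is not Atlassian's full matrix.
AFFECTED_LOW, AFFECTED_HIGH = (8, 0, 0), (8, 5, 3)   # 8.0.x through 8.5.3
FIRST_FIXED = {(8, 5): (8, 5, 4), (8, 6): (8, 6, 0), (8, 7): (8, 7, 1)}
UNAFFECTED_LTS_BRANCH = (7, 19)        # Confluence LTS 7.19.x is not affected
LAST_UNSUPPORTED_BRANCH = (8, 4)       # 8.4.5 and earlier branches get no fix

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; any trailing build tag is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def classify(text: str) -> str:
    """Map one version string onto the categories the article describes."""
    v = parse_version(text)
    branch = v[:2]
    if branch == UNAFFECTED_LTS_BRANCH:
        return "not-affected"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        # No patch is coming for out-of-support branches: change branch instead.
        return "affected-unsupported" if branch <= LAST_UNSUPPORTED_BRANCH else "affected"
    if branch in FIRST_FIXED:
        return "fixed" if v >= FIRST_FIXED[branch] else "unlisted"
    if v > (8, 7, 1):
        return "fixed"
    return "unlisted"   # e.g. 8.7.0 or old 7.x: the article says nothing about it

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by category so patching / offlining can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"wiki-prod": "8.5.3", "wiki-dr": "8.5.4", "wiki-legacy": "8.2.1",
              "wiki-lts": "7.19.17", "wiki-lab": "8.7.0"}
    for category, hosts in triage(sample).items():
        print(f"{category:22s} {', '.join(hosts)}")
```

Anything in the "affected" or "affected-unsupported" groups is a candidate for the offline-and-back-up step the article recommends; "unlisted" versions need a manual check against the vendor advisory.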
Atlassian Confluence bugs are often leveraged by attackers in the wild, including state-sponsored threat groups and opportunistic ransomware gangs.
In the case of CVE-2023-22527, Atlassian cannot share any meaningful indicators of compromise (IoCs) to help detect exploitation.
The multiple possible entry points and the ability to use the flaw in chained attacks broaden its scope too much to be able to pinpoint definitive exploitation indicators.